At the time, the Victorian Health Complaints Commissioner confirmed there was no legal requirement for the patients to be notified, leaving them unaware that highly-sensitive information about their medications, diagnoses, surgeries and mental health conditions had been disclosed so publicly.

Data breaches are increasingly common, with an estimated 10 billion records breached globally in the past five years. Picture: Samuel Zeller/Unsplash

This was just one breach among many.

Globally, high-profile breaches have been reported by large international companies like Adobe, Dropbox and Uber. The website Breach Level Index estimates that nearly 10 billion records have been breached since 2013.

In response, the Commonwealth Notifiable Data Breaches scheme, which began in February 2018, has changed the rules here in Australia. The private hospital would now be required not only to let the affected patients know about the breach but also to advise them of any steps they should take.

What is the Notifiable Data Breaches scheme?

The Notifiable Data Breaches scheme was introduced into the Commonwealth Privacy Act 1988. The new provisions reflect a trend towards similar schemes around the world, including in most US states and the European Union, but Australia’s attempt is more limited in scope than some.

The scheme applies to Commonwealth government agencies, businesses and non-profit organisations that have an annual turnover in excess of AU$3 million, as well as private sector healthcare providers, credit reporting bodies, credit providers and tax file number recipients. But many organisations are exempt: some small businesses, registered political parties, and state and territory authorities – including public hospitals.

Under the Notifiable Data Breaches scheme, if there is unauthorised access to, disclosure of, or loss of personal information, and this is likely to result in serious harm to a person to whom the information relates, then the organisation that held the information must report the breach to the Australian Information Commissioner as well as notify the person affected.

There are provisions in the Privacy Act to help organisations assess the ‘likelihood of serious harm’ and decide whether they must report the breach. Taking successful remedial action that removes the likelihood of serious harm, like resetting the access controls on compromised accounts before any unauthorised access can occur, in turn does away with the notification requirement.

So far, so good.

The new law is designed to minimise the harm caused to people when their data is lost or inappropriately accessed, because once they know about it they can act to protect themselves, like cancelling bank cards or changing passwords.

Digital health records are particularly vulnerable, with a recent US survey finding a surprisingly high number of health employees would be willing to sell patient data. Picture: imgix/Unsplash

In theory, organisations should be motivated to tighten their security measures to avoid adverse publicity through mandatory disclosure of breaches (backed by fines for non-disclosure). This should have the knock-on effect of making it more difficult for hackers to steal personal data.

But will it work?

The legislation only came into force in February, so it’s too early to say what effects it will have. The Office of the Australian Information Commissioner (OAIC) has certainly been doing its best to draw attention to the new provisions. But the scheme has several weaknesses.

First, thanks to Australia’s patchwork of Commonwealth and state privacy laws, many organisations that hold a large amount of sensitive personal data are exempt from the new scheme (like state-based entities), while others are unexpectedly caught by it. So the local naturopath has an obligation to report, while major public hospitals do not. And there’s no sign this issue will be addressed.

Major threats to personal data in Australia lie with state health authorities, which fall outside the scheme. The Victorian Auditor-General’s Office, in a 2016-17 report, identified IT security as the most substantial and long-standing problem facing public hospitals, highlighting the risk of “disgruntled employees or hackers circumventing security processes and stealing or altering hospital financial or patient data”.

This risk was underlined by a recent US survey indicating nearly one in five health employees would be willing to sell confidential data for as little as $500.

Second, the 30-day period companies have to investigate a breach could prevent consumers being able to take rapid steps to secure their data. Similar breach notification requirements in Europe require notification to a supervisory authority within 72 hours (where there is a risk to an individual’s rights and freedoms) and notification to the individual directly without “undue delay” (where there is a high risk to individuals).

Third, the hope that the notification scheme will spur organisations to enhance security may be undermined by ambivalence. Despite the OAIC roadshow promoting the scheme, many businesses remain unaware of the new provisions, unconcerned about the risk of data loss and poorly prepared to protect people’s information.

Uber tried to cover up a large breach of its users’ data in 2017. Picture: Wikimedia

Penalties for not reporting breaches, in the context of the outsize budgets of major companies and Commonwealth agencies, are relatively light, with fines of up to AU$2.1 million for corporations. Many may see the cost of compliance with the scheme as higher than the penalty – assuming a penalty is even enforced.

At this stage the OAIC has been given no additional budget to police the new provisions. Large corporations may opt to cover up a breach to protect their reputation. The ride-sharing company Uber did just that in 2017, reportedly paying those who hacked the records of 57 million Uber users US$100,000 to delete the data.

What’s next?

The Notifiable Data Breaches scheme is a starting point, but there’s more to be done.

Joined-up laws across all states and territories that reflect the Commonwealth scheme would give people clarity and certainty about what would happen if their data was hacked, and would motivate organisations at all levels to get their security in order.

Stronger penalties and increased funding to the OAIC to enforce the Notifiable Data Breaches scheme could also be options worth considering.

Nearly everyone is vulnerable to their personal information being exposed publicly; keeping one step ahead of breaches has become an essential task of governments and corporations.

Now, at least, bringing this problem into the open will allow for more effective monitoring of breaches, and enforcement of the rules, in the future.
